IoT Product Safety: If It Appears Too Good to Be ...

Network Computing Dark Reading

Advertise

About Us

Oldest First | Newest First | Threaded View

[close this box]

ccashell,
User Rank: Apprentice
3/12/2018 | 11:47:00 PM

Seriously? The misinformation is strong with this one.

Wow, there is a lot of misinformation, confusion, and good old fashioned "Fear, Uncertainty, and Doubt" (FUD) in this article. It almost reads like a paid piece from a hardware manfuacturer.

I'm a little amazed that someone would write such a weak and unsubstatianted article in a time when Linux has become the foundation of most mobile and many IoT devices. When every Android smartphone has it's base operating system source code available for anyone, your argument needs a lot more than vague hints and bad analogies to be reasonable.

The simple fact is that IoT devices are in such a horrible and sad state with regards to security that it's hard to imagine how it could get much worse. Mandating that information is available for people and communities to attempt to improve or fix issues at least leads to options.

I want to write more, but it's just hard to even take this article seriously.

Reply | Post Message | Messages List | Start a Board

stephen56,
User Rank: Apprentice
3/17/2018 | 3:08:08 PM

IOT devices are insecure by design, not repair

Ugh. So much speculation and so few facts.

First, anyone that has actuallty read the proposed legislation in 18 states would notice that the only information, firmware, parts, tools and diagnostics required are those ALREADY being provided to thousands of repair techs around the world. None of this information is secret, and most of it is arleady available illegally in asia. Legislation is carefully targeted for the sole purpose of allowing legal competition for repair services at the choice of the owner.

Even when the equipment being repaired is being used for a security function (such as a security camera), the application run on cpu within the camera is irrelevant to repair. The camera either passes a signal correctly or it does not. Someone has to repair the camera, and give it back to the owner. Its the owner that cares about his or her security -- and its still the owner that gets to decide whom to trust for repair.

If anyone has any doubts of the responsibility of the OEM to protect the security of the owner, just read the purchase contract closely, Every contract always dislaims responsibility for how equipment is used and carefull limits their risk and potential damages in that contract.

As to actual cyber risk -- equipnent is either secure by design, or insecure. Sadly, millions of IOT devices are being thrown into the marketplace with weak or absent security -- allowing botnets and other hacks to proliferate worldwide. These devices are already up and running and attached to a network, unlike devices which are broken and offline. Equipment under repair is among the most secure because its offline.

Opponents to Right to Repair have gleefully suggested that consumers will lose personal data without any explaination of how that might happen. We've yet to hear of anyone losing personal data as the result of an iPhone repair -- because Apple does an excellent job of security and encryption. Apple has even stated publically that despite their source code being posted on the internet, personal security was never at risk.

Happy to discuss any real examples of how repair as a business has made IOT devices less secure.

Reply | Post Message | Messages List | Start a Board

Editors' Choice

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry

David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP, 7/9/2021

Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours

Robert Lemos, Contributing Writer, 7/7/2021

It's in the Game (but It Shouldn't Be)

Tal Memran, Cybersecurity Expert, CYE, 7/9/2021

Live Events

Webinars

Understanding Cyber Attackers - A Dark Reading Nov 17 Event

Black Hat Europe - December 5-8 - Learn More

Black Hat Middle East & Africa - November 15-17 - Learn More

More Informa Tech Live Events

White Papers

Addressing Cyber Risk Starts with Understanding Cyber Risk

Why Legacy Point Tools Are Failing in Today's Environment

State of Attack Surface Management: A Crisis of Overconfidence

Cloud Incident Response At a Glance

Sumo Logic for Continuous Intelligence

More White Papers

Cartoon

Latest Comment: I've heard of people walking right out the front door with entire servers...

Cartoon Archive

Current Issue

How Machine Learning, AI & Deep Learning Improve Cybersecurity

Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

Incident Readiness and Building Response Playbook

In this special report, learn the Xs and Os of any good security incident readiness and response playbook.

Download Now!

Battle for the Endpoint

0 comments

How Enterprises are Developing Secure Applications

0 comments

Assessing Cybersecurity Risk in Today's Enterprises

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2022-40942
PUBLISHED: 2022-09-28

Tenda TX3 US_TX3V1.0br_V16.03.13.11 is vulnerable to stack overflow via compare_parentcontrol_time.

CVE-2022-40912
PUBLISHED: 2022-09-28

ETAP Lighting International NV ETAP Safety Manager 1.0.0.32 is vulnerable to Cross Site Scripting (XSS). Input passed to the GET parameter 'action' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in cont...

CVE-2022-22523
PUBLISHED: 2022-09-28

An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 Web-App which allows an authentication bypass to the context of an unauthorised user if free-access is disabled.

CVE-2022-22524
PUBLISHED: 2022-09-28

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify users and stop services .

CVE-2022-22525
PUBLISHED: 2022-09-28

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an remote attacker with admin rights could execute arbitrary commands due to missing input sanitization in the backup restore function

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]